lirantal / lockfile-lint

Lint an npm or yarn lockfile to analyze and detect security issues
Apache License 2.0
780 stars 35 forks

lockfile-lint failed parsing a URL object from given host value so using as is #138

Closed glensc closed 1 year ago

glensc commented 1 year ago

Current Behavior

Updated from "lockfile-lint": "^3.0.1" to "lockfile-lint": "^4.8.0"

And getting errors like:

+ export 'DEBUG=*'
+ lockfile-lint --validate-https '--allowed-hosts=npm.example.net' '--path=yarn.lock'
2022-09-22T18:24:54.891Z lockfile-lint parsed the following options: {"_":["/usr/local/bin/node","/usr/bin/lockfile-lint"],"validate-https":true,"s":true,"validateHttps":true,"allowed-hosts":["npm.example.net"],"a":["npm.delfi.net"],"allowedHosts":["npm.example.net"],"path":"yarn.lock","p":"yarn.lock","e":true,"empty-hostname":true,"emptyHostname":true,"f":"pretty","format":"pretty","$0":"/usr/bin/lockfile-lint"}
2022-09-22T18:24:54.892Z lockfile-lint invoking validator for: validateHttps
2022-09-22T18:24:54.893Z lockfile-lint validate-host-manager invoked with validator options: true
2022-09-22T18:24:55.163Z lockfile-lint validator validateHttps reported no issues
2022-09-22T18:24:55.163Z lockfile-lint invoking validator for: validateHosts
2022-09-22T18:24:55.163Z lockfile-lint validate-host-manager invoked with validator options: ["npm.example.net"]
2022-09-22T18:24:55.433Z lockfile-lint failed parsing a URL object from given host value so using as is: npm.example.net

The "failed parsing a URL" message is printed like 1000 times. I guess for every item in the yarn.lock file.

Possible Solution

Roll back to 3.0.1 version.

Steps to Reproduce (for bugs)

  1. yarn add lockfile-lint@4.8.0
  2. export 'DEBUG=*'
  3. lockfile-lint --validate-https '--allowed-hosts=npm.example.net' '--path=yarn.lock'

lirantal commented 1 year ago

Hi @glensc, thanks for reporting the issue. Can you please provide a reference lockfile so I can reproduce the issue?

lirantal commented 1 year ago

Ok, I was able to reproduce locally. Indeed, the update to use new URL() and parse the host from it isn't strictly needed for the validate-host option, which uses hosts and not URLs, hence this noisy debug-level message isn't relevant to print an error about.

I'm pushing a fix for it.

glensc commented 1 year ago

Fixed in https://github.com/lirantal/lockfile-lint/releases/tag/lockfile-lint@4.9.3 I suppose?

lirantal commented 1 year ago

Fix added in 4.9.1 but you should indeed just get the latest. Let me know if there are still any lingering issues.